Cisco AnyConnect Secure Mobility Client on OS X Yosemite - VPN not working if the Mac is connected via Iphone HotSpot

I have encountered a strange situation with Yosemite and Cisco AnyConnect Secure Mobility Client (all recent versions, including the latest, 3.1.05187).

If the Mac is using the iPhone's Internet connection (via Bluetooth or WiFi), when I connect with the client everything stops working, from the Internet to the traffic over the tunnel. We are using Split Tunnel with Split DNS for our internal addresses. Somehow the DNS is not working anymore.

I can ping by IP but not by name, and I also cannot ping any Internet address unless I manually add the default route again.

Anybody encountered this problem?

49 REPLIES

All - I have a solution for this problem.

In your AnyConnect Group Policy, go to Advanced > Split Tunneling.

For "DNS Names", uncheck "inherit" and manually define your LAN's internal DNS domain name.

For "Send All DNS Lookups Through Tunnel", uncheck "inherit" and manually select "no".

For reasons I've not yet figured out, Yosemite does not like tunneling all DNS lookups through the tunnel.

If this is a sticking point for your environment, you may need to define a separate Group Policy for your OS X users until Cisco/Apple figure out their bug.

Good luck!

-Tim


Sorry, but this does not solve the issue for us. This is the exact configuration we already have, and we have had it from the beginning of this problem appearing. This is clearly an incompatibility between AnyConnect and Yosemite. The ONLY success I have had is with a pocket router in between my iPhone Hotspot and my laptop running Yosemite. It is an ugly hack, but at least I am portable(ish) again.


Hi David -

I used this solution for 6 different customers of mine today and it universally solved it. Check your split-tunnel settings across the board, as well as the DNS and domain name related bits in your group profile. Feel free to post your webvpn config too.


Tim - I have the same configuration as razvan1979 and it does not work


Which AnyConnect and OS X versions? I'm on 3.1.06073 and 10.10.1 respectively. 


Hello Tim,

I have the same version mate, exactly the same, so maybe something is missing in my config!

ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
ping: sendto: No route to host
ping: sendto: No route to host
Request timeout for icmp_seq 0
ping: sendto: No route to host
Request timeout for icmp_seq 1
ping: sendto: No route to host
Request timeout for icmp_seq 2
ping: sendto: No route to host
Request timeout for icmp_seq 3
ping: sendto: No route to host
Request timeout for icmp_seq 4
^C
--- 8.8.8.8 ping statistics ---
6 packets transmitted, 0 packets received, 100.0% packet loss

cat /etc/resolv.conf
cat: /etc/resolv.conf: No such file or directory

group-policy GP-XXX internal
group-policy GP-XXX attributes
 dns-server value 172.xx.xx.xx 10.xx.xx.xx
 vpn-simultaneous-logins 2
 vpn-idle-timeout 60
 vpn-filter value ACL-XXX
 vpn-tunnel-protocol ikev2 ssl-client
 group-lock value TN-XXX
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLITUNNEL
 split-dns value  hs2 dc2 office qxlint
 address-pools value VPNPOOL-XXX


I've managed to get the "split-tunnel-all-dns disable" workaround working on one of my ASAs, but not on the other. Apparently, ASA version 9.0 or better is required.


More detail in recent post here: https://discussions.apple.com/thread/6728046


Strange because I have this type of config from the start, because we use Split-DNS!


Hi Tim, can you please guide me to find the AnyConnect Group Policy so I can try the solution?


As above: OS X 10.10.2, AnyConnect 3.1.07021, iOS 8.2 - tethered (hotspot) connection. Adding the local domain name/DNS lookup setting (which is unchanged in this instance) as per tim.economides' suggestion appears to resolve the issue (after initial testing)!


Same issue here. As an end user, I apparently don't have access to the Group Policy to edit it.


I think tethering + AnyConnect is working for me again with the recent iOS 8.2 update!


OS X 10.10.2, AnyConnect 3.1.07021, iOS 8.2 - tethered (hotspot) connection - when the VPN is active, Internet/DNS/local network are unavailable - the problem is still as per razvan1979's original observation.


Gentlemen,

It seems that we have a solution. Try to follow this picture to enable client bypass protocol. It works for us.

OR

enter "client-bypass-protocol enable" in the group-policy attributes section using the CLI.

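The two workarounds posted in this thread (Tim's split-DNS settings and the accepted "client-bypass-protocol enable" fix) are all group-policy attributes, so an administrator with several policies may want to see at a glance which ones carry them. The checker below is an added example and is not code from the thread or from Cisco: it parses "group-policy <name> attributes" blocks from running-config text and reports the settings discussed above. The sample configuration embeds the group policy razvan1979 posted plus a second, hypothetical policy (GP-OSX-EXAMPLE) with the workarounds applied; the masked "xx" addresses are kept as posted.

```python
import re

# Constructed sample: the group-policy posted in the thread (GP-XXX), followed by
# a hypothetical policy (GP-OSX-EXAMPLE) that carries the workarounds from the replies.
SAMPLE_CONFIG = """\
group-policy GP-XXX internal
group-policy GP-XXX attributes
 dns-server value 172.xx.xx.xx 10.xx.xx.xx
 vpn-simultaneous-logins 2
 vpn-idle-timeout 60
 vpn-filter value ACL-XXX
 vpn-tunnel-protocol ikev2 ssl-client
 group-lock value TN-XXX
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLITUNNEL
 split-dns value  hs2 dc2 office qxlint
 address-pools value VPNPOOL-XXX
group-policy GP-OSX-EXAMPLE internal
group-policy GP-OSX-EXAMPLE attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLITUNNEL
 split-dns value example.internal
 split-tunnel-all-dns disable
 client-bypass-protocol enable
"""


def parse_group_policies(config_text):
    """Return {policy_name: [stripped attribute lines]}.

    In ASA configuration, a 'group-policy <name> attributes' line is followed by
    indented attribute lines; the next unindented line ends the block.
    """
    policies = {}
    current = None
    for raw in config_text.splitlines():
        match = re.match(r"^group-policy (\S+) attributes\s*$", raw)
        if match:
            current = match.group(1)
            policies[current] = []
        elif raw.startswith(" ") and current is not None:
            policies[current].append(raw.strip())
        else:
            current = None  # unindented line: block is over
    return policies


def split_dns_domains(attrs):
    """Domains listed under 'split-dns value' (tolerates the doubled space seen in the post)."""
    for attr in attrs:
        if attr.startswith("split-dns value"):
            return attr.split()[2:]
    return []


def check_split_dns_policy(attrs):
    """Evaluate one policy for the settings the thread discusses."""
    return {
        "split_tunnel_specified": "split-tunnel-policy tunnelspecified" in attrs,
        "split_dns_defined": bool(split_dns_domains(attrs)),
        # Absent means the value is inherited, which is what Tim's reply tells you to avoid.
        "all_dns_explicitly_disabled": "split-tunnel-all-dns disable" in attrs,
        "all_dns_enabled": "split-tunnel-all-dns enable" in attrs,
        "client_bypass_enabled": "client-bypass-protocol enable" in attrs,
    }


def recommendations(findings):
    """Map findings to the workarounds posted in the thread (wording is ours)."""
    advice = []
    if not findings["split_dns_defined"]:
        advice.append("define 'split-dns value <internal domain>' (ASDM: DNS Names, uncheck inherit)")
    if findings["all_dns_enabled"] or not findings["all_dns_explicitly_disabled"]:
        advice.append("set 'split-tunnel-all-dns disable' explicitly (ASDM: Send All DNS Lookups Through Tunnel = no)")
    if not findings["client_bypass_enabled"]:
        advice.append("set 'client-bypass-protocol enable' (the accepted fix in the thread)")
    return advice


def audit(config_text):
    """Findings for every group-policy attributes block in the config text."""
    return {name: check_split_dns_policy(attrs)
            for name, attrs in parse_group_policies(config_text).items()}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_CONFIG).items():
        print(name, findings)
        for line in recommendations(findings):
            print("  ->", line)
```

Run against `show running-config group-policy` output saved to a file by replacing SAMPLE_CONFIG with the file contents. On the posted policy the checker reports that split DNS is defined but that "split-tunnel-all-dns" is inherited rather than explicitly disabled and that client bypass is not enabled, which is exactly the gap between razvan1979's config and the two replies that resolved the issue.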


This would require an expensive update for us. What ASDM version are you running?